TL;DR
We have been tracking a large-scale Chinese smishing campaign targeting multiple regions and industries, with a primary focus on telecom providers, toll road systems, postal services and banks.
The campaign relies on SMS-delivered phishing links that redirect victims to impersonation pages themed as unpaid tolls, delivery issues, prizes or account-related actions. Victims are guided through a multi-step flow designed to harvest personally identifiable information (PII), payment card data, and 2FA codes.
The operators can push real-time instructions via WebSocket-based communication to dynamically control the victim session, including redirecting the victim browser to 2FA pages to capture one-time passwords (OTPs) and complete fraudulent transactions in real time.
Infrastructure analysis shows around half of the campaign’s infrastructure is behind Cloudflare. Hosting is distributed primarily across Singapore, the United States, and Japan. The most commonly abused TLDs include .cc, .icu, .com, .top, and .life, with .cc and .icu representing over 50% of the observed domains.
Campaign Attack Chain
A large-scale Chinese smishing campaign has been observed targeting users across multiple regions and industries. The campaign primarily focuses on telecom providers, toll road systems, postal and logistics services, and financial institutions, with additional targeting observed across government portals, e-commerce platforms, and travel-related services.
- Initial Access: The campaign relies on SMS-based phishing (smishing) messages containing URLs that impersonate legitimate services. The messages typically reference urgent scenarios such as unpaid tolls, delivery failures, prize claims, or account verification requirements. Once the link is opened, victims land on phishing pages that mimic the trusted brand's payment portal.
- Execution: On page load, the kit fingerprints the device and retrieves configuration data from the backend, which determines the page's behavior.
- Defense Evasion: The kit applies IP- and BIN-based filtering to screen victims before they progress. If the victim's IP address is on the blacklist, access is terminated immediately. If the BIN of the submitted card is on the blacklist, the payment is declined.
- Collection & Credential Access: The phishing flow is a multi-step interaction that collects victim data, starting with basic inputs such as email address, phone number and vehicle plate number, followed by payment form pages that capture full card details.
- Command and Control (C2): A persistent WebSocket-based channel enables real-time interaction between operators and victims. Through it, operators can send 33 distinct commands to control the victim session and modify the phishing flow.
- Exfiltration: Collected data is transmitted to the C2 infrastructure through encrypted HTTP POST requests.
- Final Step: When the phishing flow completes, or the operator triggers the success condition, the victim is redirected to a legitimate website specified in the phishing kit configuration.

Targeted Industries
The phishing campaign targets a wide range of industries, with the following sectors ranked from most to least frequently impersonated based on observed campaign volume.
- Telecom & Mobile: Mobile network operators and regional telecommunications providers across North America, Europe, Latin America, and Asia-Pacific (T-Mobile, Verizon, AT&T, Tigo Telecom, Orange Polska)
- Toll Roads & Road Fees: Electronic toll collection systems, road usage payment platforms, and traffic violation services across the United States, UAE, Latin America, and Asia-Pacific (TxTag, Florida DHSMV, Salik, DARB, ENA Corredores, TAG Chile, India eChallan)
- Postal & Parcel Delivery: National postal operators and international courier services across North America, Europe, Latin America, UAE and Asia-Pacific (USPS, Australia Post, PostNord, Emirates Post, Correios Brazil, India Post, La Poste, PostNL, Ninja Van, J&T Express, Purolator)
- Banking & Financial Services: Retail banks, digital banking platforms, and financial institutions across the United States, Europe, Asia-Pacific, and Australia (Macquarie Bank, CommBank, Westpac, NAB, ANZ, BCA, Rakuten Bank, Raiffeisen Bank, Santander Mexico, Banco Cuscatlan)
- Airlines & Travel: Commercial airlines and travel-related service providers (Qantas Airways)
- Government & Tax: Government agencies, public service portals, and tax/payment systems across multiple regions (DMVs across U.S. states, Dubai Customs, TAMM, UK GOV.UK services, e-Tax Japan, Kemnaker Indonesia, NZTA)
- E-commerce & Retail: Large-scale retail chains and e-commerce platforms across global markets (Coles, Migros, Amazon Japan, Apple Japan)
- Brokerage & Investment: Online trading platforms and investment service providers (E*TRADE, Robinhood)
Targeted Brands
The phishing campaign impersonates a wide range of brands across multiple regions. The United States is the most heavily targeted country, accounting for the largest share of impersonated brands across telecom, DMV, toll, postal, and financial verticals. The United Arab Emirates ranks as the second most targeted country, with focused campaigns against toll road platforms, customs, and government service portals.
- United States: T-Mobile, Verizon, AT&T, Texas DMV / TxTag, Florida DHSMV, California DMV, Michigan SOS, Missouri DOR, Virginia DMV, Ohio BMV, Georgia DDS, USPS, Maryland MVA, UPS (Parcel Delivery), Illinois SOS, DHL, Massachusetts RMV, Pennsylvania DOT, Nebraska DMV, New York DMV, New Hampshire DMV, NYC CityPay, Chicago CHIPAY, City of Los Angeles Payment, Louisiana OMV, Indiana BMV, New Jersey MVC, North Carolina DMV, Utah DMV, E*TRADE, Robinhood
- United Arab Emirates: DARB Toll Road Platform, Salik Road Toll System, Emirates Post, Dubai Customs, TAMM, Parkin.
- Australia/NZ: Qantas Airways, Macquarie Bank, CommBank, Westpac Bank, NAB Bank, ANZ Bank, Bankwest, Suncorp, Bank of Queensland (BOQ), Up Bank, ubank, HSBC Bank (AU), Australia Post, NZTA / Waka Kotahi (NZ Toll), Coles.
- Europe: PostNord (Denmark/Sweden), DPD Parcel, Migros Supermarket (Switzerland), UK GOV.UK Winter Fuel Payment, UK GOV.UK Parking Fine, UK DVSA (Road Fines), Eurobank, PTT Turkish Post, Correos – Spanish Post, La Poste (France), Orange Polska (Poland), bpost (Belgium), PostNL (Netherlands), InPost (Poland), Endesa – Energy (Spain), Raiffeisen Bank (Switzerland), CTT Post (Portugal), Banca Intesa (Serbia), Pošta Srbije (Serbia).
- Latin America: Visa (Panama), Mastercard (Panama), Santander Mexico, Correo de Mexico (Gob MX), ENA Corredores – Toll Road (Panama), TAG Toll Road (Chile), Banco Cuscatlan (El Salvador), Correios (Brazil), Tigo Telecom (Honduras / Panama).
- Asia Pacific: JCB / MyJCB Credit Card (Japan), BCA / Bank Central Asia (Indonesia), India eChallan / Ministry of Road Transport, METI/ANRE Energy Agency (Japan), Ninja Van Malaysia, India Post, Intelcom Parcel (Canada), Rakuten Bank (Japan), e-Tax NTA (Japan), Amazon Japan, Apple Japan, Ninja Xpress (Indonesia), J&T Express (Indonesia), Kemnaker – Ministry of Manpower (Indonesia), Purolator Parcel (Canada).
This campaign demonstrates how convincingly threat actors can replicate trusted brands at scale. If your organization's name, domain, or visual identity is being used in phishing and brand impersonation attacks, you may not know until customers start reporting it. DeXpose's Brand Protection service monitors for lookalike domains, phishing pages, and impersonation infrastructure targeting your brand before your customers become victims.
Phishing Flow Overview
The investigation was initiated following client reports of SMS messages received as part of an SMS phishing (smishing) campaign. The messages contained links delivered via SMS from multiple phone numbers, impersonating the official DARB (Abu Dhabi Tolling System) platform.

The URL impersonates the DARB platform login page and presents itself as a portal for querying unpaid highway toll fees. It requests users to enter their vehicle plate number and mobile number.

After entering the vehicle plate number and phone number, a “Toll Violation Notice” is displayed, showing an outstanding amount of AED 4.00.
The page warns that failure to complete payment within the specified timeframe may result in increased fees, referral to a collection agency, and suspension of vehicle registration.
After clicking “Continue,” the user is redirected to a payment form requesting card details.

Campaign Infrastructure Analysis
Approximately half of the campaign’s domains were observed behind Cloudflare, while the remaining infrastructure was distributed across several network providers and autonomous systems, including Alibaba (US) Technology Co., Ltd. (AS45102) and Tencent (AS132203).
Nginx and OpenResty were also observed as the web servers across the campaign infrastructure.

Domains Involved in the Campaign
Across all domains associated with this phishing campaign, our team identified the use of several top-level domains (TLDs). The most frequently observed TLDs were: “.cc,” “.icu,” “.com,” “.top,” and “.life.”
Notably, “.cc” and “.icu” together represented more than 50% of all domains used in the campaign.

Geolocation of the Phishing Infrastructure
Analysis of the campaign’s hosting infrastructure shows that the majority of associated IP addresses are geolocated in Singapore and the United States, representing 43.88% and 32.12% of the infrastructure respectively. This is followed by Japan, which represents 14.42% of the observed IP distribution. A smaller portion of the infrastructure is spread across other regions, including Indonesia (3.04%) and Hong Kong (2.42%), with the remaining 4.13% distributed across various other countries.

Inside the Phishing Kit
This phishing kit consistently relies on six JavaScript files: common.js, axios.js, vue.js, main.js, check.js, and ws-worker.js as well as API endpoints: getSyncSettings, addClick, addCvv and the_final_interface, and others. These files and endpoints are present across nearly all domains in the campaign.

main.js
main.js (and the other JS files) are obfuscated with a multi-layered strategy consistent with the well-known JavaScript Obfuscator (obfuscator.io). At its core, string literals are extracted into a dynamically accessed array and decoded at runtime by a Base64-style decoder combined with decodeURIComponent, so the plaintext strings never appear in the file and static string analysis finds nothing useful.
It uses control-flow flattening to hide the true execution order, restructuring sequential logic into dispatcher-based loops that are hard to follow during analysis. It also carries anti-tampering and anti-debugging mechanisms: prototype-based checks validate the output of Function.prototype.toString() against a regular expression to detect beautified code, debugging tools or a modified execution context.
In addition, identifiers are renamed to opaque hexadecimal-style names, numeric values are written in hexadecimal, and the remaining string literals are fragmented.
To deobfuscate the files, a dedicated tool that reverses Obfuscator.io’s transformations can be used, such as obf-io.deobfuscate.io.
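The following is an added example, not code from the phishing kit: a reduced model of the obfuscator.io string-array scheme described above (custom-alphabet base64, percent-encoding, decodeURIComponent, a rotated array behind an offset accessor) together with the self-defending toString() check, and the helper an analyst writes to recover the plaintext array. The alphabet is the one obfuscator.io's base64 variant uses; the regex, the accessor name `_0x4f2a`, the offset and the sample strings are assumptions chosen for illustration.

```javascript
// Added example modelling the obfuscator.io string-array scheme; not the kit's own code.
// ALPHABET is obfuscator.io's custom base64 alphabet (assumption); the offset, accessor
// name and sample strings are made up for this example.
const ALPHABET = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789+/=";

// Encoder: only needed here so the sample string array can be constructed inline.
function encodeString(str) {
  const bytes = new TextEncoder().encode(str); // UTF-8 bytes, as obfuscator.io encodes them
  let out = "";
  for (let i = 0; i < bytes.length; i += 3) {
    const b1 = bytes[i + 1], b2 = bytes[i + 2];
    const n = (bytes[i] << 16) | ((b1 ?? 0) << 8) | (b2 ?? 0);
    out += ALPHABET[(n >> 18) & 63] + ALPHABET[(n >> 12) & 63];
    out += b1 === undefined ? "=" : ALPHABET[(n >> 6) & 63];
    out += b2 === undefined ? "=" : ALPHABET[n & 63];
  }
  return out;
}

// Runtime decoder of the same shape the kit ships: custom-alphabet base64 to a byte string,
// then percent-encode every byte and let decodeURIComponent() reassemble the UTF-8 text.
function decodeString(encoded) {
  let bits = 0, bitCount = 0, pct = "";
  for (const ch of encoded.replace(/=+$/, "")) {
    const v = ALPHABET.indexOf(ch);
    if (v < 0 || v > 63) continue;
    bits = (bits << 6) | v;
    bitCount += 6;
    if (bitCount >= 8) {
      bitCount -= 8;
      pct += "%" + ((bits >> bitCount) & 0xff).toString(16).padStart(2, "0");
      bits &= (1 << bitCount) - 1; // keep only the leftover bits
    }
  }
  return decodeURIComponent(pct);
}

// Constructed string array; plaintext taken from names this write-up mentions.
const PLAINTEXT = ["getSyncSettings", "/api/open/addCvv", "操作成功", "ws-worker.js"];
const STRING_ARRAY = PLAINTEXT.map(encodeString);

// obfuscator.io rotates the array at load time and every call site goes through an accessor
// that subtracts a constant offset, so the literal index in the source never equals the
// array position.
function rotate(arr, k) { for (let i = 0; i < k; i++) arr.push(arr.shift()); }
const OFFSET = 0x1a3;
rotate(STRING_ARRAY, 2);
function _0x4f2a(idx) { return decodeString(STRING_ARRAY[idx - OFFSET]); }

// Analyst helper: decode the whole (already rotated) array once, then every
// _0x4f2a(0x1a3 + i) call site can be rewritten to the literal it resolves to.
function recoverStrings(arr) { return arr.map(decodeString); }

// Self-defending check. Function.prototype.toString() returns the original source text
// byte for byte, so beautifying or re-indenting the file changes it and the regex no longer
// matches. The regex below is of the shape obfuscator.io uses (assumption).
const SELF_DEFENDING_RE = /\w+ *\(\) *\{\w+ *['|"].+['|"];? *\}/;
function looksOriginal(src) { return SELF_DEFENDING_RE.test(src); }
function selfDefendingIntact() {
  const probe = function(){return"dev";}; // deliberately compact: a formatter would break it
  return looksOriginal(probe.toString());
}
```

`recoverStrings(STRING_ARRAY)` is the static-analysis move: once the rotated array is decoded, the `_0x4f2a(...)` call sites map directly to endpoint paths and status strings. Note that running the kit's file through a beautifier before analysis trips `selfDefendingIntact()`-style checks, which is why dedicated deobfuscators operate on the AST rather than on the formatted text.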

Device fingerprinting
When a victim accesses the phishing domain, the kit performs device fingerprinting: the IP address is collected through IP-lookup APIs and normalized into a unified schema {ip, country, latitude, longitude}, and device and environment details such as OS, browser, user agent, time zone, and language are gathered alongside it.
IP & BIN Blacklist
The phishing kit includes IP and BIN blacklists (retrieved from /api/open/getSyncSettings). When a victim accesses the phishing URL, the kit compares the victim's IP address against the blacklist; if a match is found, access to the site is denied.

The IP blacklist also includes labels indicating the reason (in Chinese) for blocking each IP.
| Chinese | English Translation |
|---|---|
| 完成支付 | Complete payment |
| 手动拉黑 | Manually block |
| 人机验证失败 | Human-machine verification failed |
When a user enters a card with a blacklisted BIN, the phishing site automatically declines the payment and shows the message:
“This card type isn’t supported. Please try another card or payment method.”

Real-Time Operator Commands
The operator panel can push real-time instructions via WebSocket-based communication to redirect the victim’s browser. For example, the operator can redirect the victim to a verification page to capture a real-time 2FA code. A total of 33 different instructions were identified, with the most important including:

d_sms_bank.html
Simulates Abu Dhabi Commercial Bank (ADCB) 2FA SMS verification.

g_app.html
Simulates a bank payment processing flow, instructing victims to approve a transaction through a mobile banking application.

f_pin.html
Simulates a payment verification step, prompting victims to enter a 4–6 digit PIN to authorize the transaction.

e_email.html
Simulates an email-based payment authentication step, prompting victims to enter a 6-digit verification code sent to their registered email address.

common.js
The common.js file defines several fields; however, the two key fields that we are interested in are projectName and errorJumpAddress. The projectName field acts as an internal identifier or tag for the impersonated entity. For domains impersonating DARB, this field has the value AE-FANDAN-DARB, which refers to the United Arab Emirates (AE) and the DARB toll system.
The errorJumpAddress field specifies the legitimate URL of the impersonated entity and is used to redirect victims after a payment is completed. In this case, it redirects to https://darb.qmobility.ae/RucWeb/tolling-policies.

ws-worker.js
The ws-worker.js is responsible for maintaining a persistent, real-time communication channel between the victim’s browser and the operator’s C2 infrastructure.
The script establishes a WebSocket connection to the C2 server via the /webSocket/QT endpoint and keeps it alive via a heartbeat every 5 seconds. If a heartbeat_ACK isn’t received within 3 seconds, it force-closes and reconnects.
It specifically listens for binLookupResult and binQueryResult message types, which allows the operator to check the victim’s card details in real time.
A secondary polling loop runs in parallel, querying /api/open/getPendingInstruction endpoint every 2 seconds using the victim’s cvv_id as a session identifier. This acts as a fallback channel in case the WebSocket drops.
All HTTP communication through the polling channel is encrypted using AES-CTR with a freshly generated random 32-byte key and 16-byte IV per request. The key and IV are embedded within the ciphertext blob, and the entire blob is transmitted as application/octet-stream. Because the key travels with the data, this provides no confidentiality against anyone who holds the blob (for example from a browser network capture or a TLS-terminating proxy); its purpose is to defeat naive pattern matching on request bodies, and an analyst with the kit's JavaScript can decrypt every request.
getSyncSettings & addClick API endpoints
The phishing domain fetches the /api/open/getSyncSettings API to retrieve the configuration of the phishing kit, which determines its behavior. It includes settings such as bin_blacklist (used to block specific card BINs) and ip_blacklist (used to block certain IP addresses), etc.

When a user opens the phishing link, the page calls the /api/open/addClick endpoint with the victim's IP address and the accessed phishing domain, along with other data. On success it returns {"status":"success","code":200,"data":null,"msg":"操作成功"}. The message "操作成功" is Chinese for "Operation successful".
Exfiltration
The exfiltration is performed through two API endpoints: /api/open/addCvv and /api/open/the_final_interface.
Data harvested from the phishing pages is stored within the cvvform structure and sent in encrypted form to /api/open/addCvv on every form submission, including personal information, credit card details, and PIN code pages.
When the victim reaches the "Thank You" page (z_thank.html), indicating a completed payment flow, or when the operator issues a to_success instruction, the kit sends a final POST request to /api/open/the_final_interface. This request contains the fully accumulated cvvform data in encrypted form. After that, the victim is redirected to the legitimate domain specified in the errorJumpAddress field within common.js.
Exfiltrated Data Structure (cvvform):
```json
{
"id": "",
"firstname": "",
"lastname": "",
"fullname": "",
"country": "",
"state": "",
"city": "",
"postcode": "",
"address1": "",
"address2": "",
"phoneNumber": "",
"email": "",
"email_pwd": "",
"two_factor_authentication": "",
"gender": "",
"ssn": "",
"dob": "",
"passport_number": "",
"license_number": "",
"medical_number": "",
"ssn_img": "",
"ssn_handheld_img": "",
"passport_img": "",
"passport_handheld_img": "",
"license_img": "",
"license_handheld_img": "",
"medical_img": "",
"medical_handheld_img": "",
"cvv_fullName": "",
"cvv_cardnumber": "",
"cvv_expiry": "",
"cvv_cvv": "",
"cvv_frontImg": "",
"cvv_backImg": "",
"cvv_handheld_img": "",
"cvv_brand": "",
"cvv_type": "",
"cvv_category": "",
"cvv_issuer": "",
"cvv_country": "",
"cvv_pin": "",
"ip": "",
"device": "",
"language": "",
"timeZone": "",
"userAgent": "",
"cookie": "",
"source": "",
"extraJSON": "",
"web_login_account1": "",
"web_login_pwd1": "",
"web_login_type1": "",
"web_login_account2": "",
"web_login_pwd2": "",
"web_login_type2": "",
"web_login_account3": "",
"web_login_pwd3": "",
"web_login_type3": "",
"paypal_login_account": "",
"paypal_login_pwd": "",
"operator_by": "",
"update_time": "",
"state1": "",
"state2": "",
"state3": "",
"operational_status": "",
"current_page": "",
"online_status": "",
"custom_phone": "",
"custom_email": "",
"custom_news": "",
"operation_code": "",
"release_code": "",
"latitude": "",
"longitude": "",
"card_submission_type": "",
"belong_to_template": "",
"custom_form_data": ""
}
```
Chinese Indicators in Operator Activity
While analyzing the phishing kit's JS files and endpoint responses, we found that the kit reports status strings to the operator in Chinese, which suggests the operator works through a Chinese-language control panel.
Examples of these status strings include:
| Chinese | English Translation |
|---|---|
| 同步卡提交 | Synchronized card submission |
| 提交卡信息 | Submit card information |
| 提交卡信息,需操作! | Submit card information, action required! |
| 提交卡信息,Luhn算法校验失败自动拒绝 | Card information submitted; Luhn check failed, automatically rejected |
The exfiltrated data from the phishing site (e.g., credit card details and victim profile information) is sent to the API endpoints in JSON format, with several fields containing Chinese strings.

And as previously mentioned, the IP blacklist has the reason why the IP is blacklisted in Chinese language.
This consistent use of Chinese language across the phishing kit makes us believe that this phishing campaign is likely associated with a Chinese-speaking threat group.
Pivoting using Domain Patterns
These domains were the initial pivot point for uncovering the whole campaign.
- darb[.]itc[.]gov[.]ae-cert[.]com
- darb[.]itc[.]gov[.]ae-docs[.]com
- darb[.]itc[.]gov[.]ae-spot[.]com
- darb[.]itc[.]gov[.]ae-area[.]com
These domains resolve to the same IP, and every domain resolving to that IP follows the same pattern (darb.itc.gov.ae-*.com).

To better understand the scope of the campaign, a pattern-based search was conducted on urlscan.io to identify additional lookalike domains.
query: page.url.keyword:/.*darb\.itc\.gov\.ae-.*\.com.*/

As shown in the screenshot above, numerous domains follow the same pattern.
One of these domains, darb[.]itc[.]gov[.]ae-qoex[.]com, resolves to an interesting IP, 43[.]160[.]249[.]131, which also hosts DARB-impersonating domains of a different pattern.

The pattern (darb.qmobil*.com) is interesting, so we conducted another pattern-based search on urlscan.io to identify additional domains and IPs.
query: page.domain:/darb\.qmobil[a-z]+\.com/

Pivoting using API Endpoints & JS Files
To better understand the scope of the campaign and identify whether other organizations (e.g., companies or government entities) are being impersonated, we used previously observed phishing kit artifacts, specifically the recurring JavaScript files and API endpoint structures, as pivoting indicators.
As mentioned earlier, domains associated with the campaign host the same JavaScript files, including check.js, main.js, common.js, vue.js, and axios.js, and interact with similar API endpoints, such as /api/open/addClick and /api/open/getSyncSettings.

Rather than relying solely on domain patterns, which may vary across different domains and TLDs, this approach provides more reliable linkage based on shared backend behavior and resource reuse.
To hunt for more infrastructure, a combination of these indicators (JS files and API endpoints) is used in the query rule.
query: filename:"common.js" && filename:"main.js" && filename:"getSyncSettings"
The query returned a large number of hits.

URLScan returned a large number of domains impersonating government entities, postal services, and companies across multiple regions. Most of the domains are impersonating:
- United Arab Emirates: DARB Toll Road Platform, Salik, TAMM, Emirates Post, Dubai Customs
- United States: DMV / State Motor Vehicles
- Australia: Qantas Airways, Macquarie Bank, Commonwealth Bank.
- Other targets include T-Mobile, AT&T, DPD Parcel, PostNord, Verizon, and others.

We used this query in the URLScan API to help in the extraction of IP addresses and filter results according to our criteria, reducing false positives. The query returned a large number of IP addresses. After filtering out Cloudflare-related infrastructure, we identified over 105 unique IPs linked to this campaign.
ANY.RUN TI Lookup can also be used to identify additional infrastructure using a similar query approach.
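The following is an added example, not the authors' tooling: the triage step described above (keep only results that carry all three kit artifacts, drop Cloudflare-fronted results, deduplicate origin IPs, and flag domains matching the two DARB patterns) run over constructed records in the shape of urlscan.io search results. The field paths `page.domain`, `page.ip`, `page.asn` and a `files` list of requested filenames are assumptions about the result shape, as are the records themselves; AS13335 is Cloudflare's primary ASN.

```javascript
// Added example of the artifact-and-pattern triage over urlscan-style results; not the
// authors' own tooling. Record shape and sample records are constructed for this example.
const KIT_ARTIFACTS = ["common.js", "main.js", "getSyncSettings"]; // the query's three terms
const DOMAIN_PATTERNS = [
  /^darb\.itc\.gov\.ae-[a-z]+\.com$/, // darb.itc.gov.ae-*.com
  /^darb\.qmobil[a-z]+\.com$/,        // darb.qmobil*.com
];
const CLOUDFLARE_ASN = "AS13335";

// Constructed sample results. 43.160.249.131 is the pivot IP from this write-up; the
// other addresses are documentation ranges standing in for origins and Cloudflare edges.
const RESULTS = [
  { page: { domain: "darb.itc.gov.ae-cert.com", ip: "43.160.249.131", asn: "AS132203" },
    files: ["common.js", "main.js", "vue.js", "getSyncSettings"] },
  { page: { domain: "darb.qmobilitya.com", ip: "43.160.249.131", asn: "AS132203" },
    files: ["common.js", "main.js", "check.js", "getSyncSettings"] },
  { page: { domain: "salik.ae.billb.top", ip: "203.0.113.20", asn: "AS13335" },
    files: ["common.js", "main.js", "axios.js", "getSyncSettings"] },
  { page: { domain: "example.org", ip: "198.51.100.5", asn: "AS64496" },
    files: ["main.js", "vue.js"] },
];

// A result is a kit hit only when every artifact appears in its request list;
// requiring all three is what keeps generic Vue/axios sites out of the set.
function matchesKit(record) {
  return KIT_ARTIFACTS.every((name) => record.files.includes(name));
}

function matchesDomainPattern(domain) {
  return DOMAIN_PATTERNS.some((re) => re.test(domain));
}

// Reduce a result set to what an analyst pivots on next: the hit domains, the unique
// origin IPs with Cloudflare-fronted entries removed (their IP is an edge, not the
// host), and the subset of hits that also match a known domain pattern.
function triage(results) {
  const kitHits = results.filter(matchesKit);
  const originIps = [...new Set(
    kitHits.filter((r) => r.page.asn !== CLOUDFLARE_ASN).map((r) => r.page.ip)
  )];
  return {
    kitDomains: kitHits.map((r) => r.page.domain),
    cloudflareFronted: kitHits.filter((r) => r.page.asn === CLOUDFLARE_ASN).map((r) => r.page.domain),
    originIps,
    patternHits: kitHits.map((r) => r.page.domain).filter(matchesDomainPattern),
  };
}
```

Cloudflare-fronted hits are kept in the domain list but excluded from the IP list: the address urlscan records for them is an edge node shared with unrelated sites, so feeding it into a passive-DNS pivot produces noise rather than new campaign infrastructure.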

Targeted Entities & Phishing Infrastructure
| Targeted Entity | Region | Legitimate Domain | Phishing Domain |
|---|---|---|---|
| DARB Toll Road Platform | UAE | darb.qmobility.ae | darb-qmobilitya.com |
| Salik (Road Toll System) | UAE | salik.ae | salik.ae.billb.top |
| Emirates Post | UAE | emiratespost.ae | emiratespost.pacnsz.top |
| Dubai Customs | UAE | dubaitrade.ae | dubai.aeizt.top |
| Parkin (Parking) | UAE | parkin.ae | parkin-ae.mom |
| TAMM (Abu Dhabi Government Services) | UAE | tamm.abudhabi | trcx.top |
| T-Mobile (Telecom) | USA | t-mobile.com | t-mobile.agbhp.icu |
| Verizon (Telecom) | USA | verizon.com | verizon.acxdn.icu |
| AT&T (Telecom) | USA | att.com | att.abozs.cc |
| Texas DMV / TxTag (Toll) | USA | txdmv.gov | txdmv.akdyn.cc |
| Florida DHSMV (Motor Vehicles) | USA | flhsmv.gov | flhsmv-gov.dashl.bar |
| California DMV | USA | dmv.ca.gov | ca.gov-zae.cfd |
| Michigan SOS (Driver Services) | USA | michigan.gov | michigan.akerq.life |
| Missouri DOR (Motor Vehicles) | USA | dor.mo.gov | dor-mo.govaio.shop |
| Virginia DMV | USA | dmv.virginia.gov | dmv-virginia.govcwg.cfd |
| Ohio BMV | USA | bmv.ohio.gov | bmv-ohio.govadn.cfd |
| Georgia DDS (Driver Services) | USA | dds.georgia.gov | dds-georgia.dvart.icu |
| USPS (United States Postal Service) | USA | usps.com | adups.thedsihdhusps.com |
| Maryland MVA (Motor Vehicles) | USA | mva.maryland.gov | mva-maryland.ftasd.life |
| UPS (Parcel Delivery) | USA | ups.com | infonotice.cyou |
| Illinois SOS (Driver Services) | USA | ilsos.gov | idot-ilsos.yhbk.shop |
| Massachusetts RMV | USA | mass.gov/rmv | mass.adoxv.icu |
| Pennsylvania DOT (Driver Services) | USA | pa.gov | pa.cjqez.life |
| Nebraska DMV | USA | dmv.nebraska.gov | nebraska.govbv.life |
| New York DMV | USA | dmv.ny.gov | ny.eikdy.life |
| New Hampshire DMV | USA | dmv.nh.gov | dmvnhgov.top |
| NYC CityPay (Parking/Tolls) | USA | a836-citypay.nyc.gov | citypay-nyc.grdlv.icu |
| Chicago CHIPAY (Parking) | USA | chicago.gov | parkingtickets-chicago.bsixn.icu |
| City of Los Angeles Payment | USA | ladot.lacity.gov | hla3gh.cn |
| Louisiana OMV (Motor Vehicles) | USA | expresslane.org | expresslane.nsqid.life |
| Indiana BMV | USA | in.gov/bmv | in.govvcu.shop |
| New Jersey MVC | USA | nj.gov/mvc | nj.cdsyn.life |
| North Carolina DMV | USA | ncdot.gov/dmv | ncdot.gov-dmvw.life |
| Utah DMV | USA | dmv.utah.gov | utah.grtlf.life |
| E*TRADE (Financial) | USA | etrade.com | etrade.com-jm.cfd |
| Robinhood (Financial) | USA | robinhood.com | seurr.sbs |
| Qantas Frequent Flyer | Australia & New Zealand | qantas.com | qantas.rewardsar.top |
| Macquarie Bank | Australia & New Zealand | macquarie.com | macqrewardc-homes.cc |
| CommBank / CommSec | Australia & New Zealand | commbank.com.au | cbaawardspointsql.cc |
| Westpac Bank | Australia & New Zealand | westpac.com.au | 2026-westpac.vip |
| ANZ Bank | Australia & New Zealand | anz.com.au | anz2025redeem.top |
| NAB Bank | Australia & New Zealand | nab.com.au | nabbenifits12705.top |
| Australia Post | Australia & New Zealand | auspost.com.au | aupostinfos.top |
| Bankwest | Australia & New Zealand | bankwest.com.au | bankwest-ac.cc |
| Coles | Australia & New Zealand | coles.com.au | coles-creditrewards.257887.com |
| Up Bank | Australia & New Zealand | up.com.au | myupbank.vip |
| Suncorp Bank | Australia & New Zealand | suncorp.com.au | suncorp-rewards.052758.com |
| Bank of Queensland (BOQ) | Australia & New Zealand | boq.com.au | boq-rewards.003061.com |
| ubank | Australia & New Zealand | ubank.com.au | ubanks2026.vip |
| NZTA / Waka Kotahi (NZ Toll) | Australia & New Zealand | nzta.govt.nz | nzta.govt-billi.top |
| PostNord (Denmark/Sweden) | Europe | postnord.dk | ddsv-dk.cfd |
| DPD Parcel (Europe) | Europe | dpd.com | atdpd-post.top |
| Migros Supermarket (Switzerland) | Europe | migros.ch | migroreward.top |
| UK GOV.UK Winter Fuel Payment | Europe | gov.uk | acmjflepw.qpon |
| Eurobank (Greece) | Europe | eurobank.gr | bonus-eurobank.cc |
| PTT Turkish Post | Europe | ptt.gov.tr | ptt-gav.life |
| Correos (Spanish Post) | Europe | correos.es | correos–es.top |
| La Poste (France) | Europe | laposte.fr | adressedelivraison.click |
| DHL (Germany) | Europe | dhl.de | dhl.sfakky.help |
| UK DVSA (Road Fines) | Europe | gov.uk | dvsa-govuk.cfd |
| Orange Polska (Poland) | Europe | orange.pl | orangeplo.lat |
| bpost (Belgium) | Europe | bpost.be | be-post-bpost.cfd |
| PostNL (Netherlands) | Europe | postnl.nl | gls-postnl.help |
| InPost (Poland) | Europe | inpost.pl | inpostt-pl.cfd |
| Endesa – Energy (Spain) | Europe | endesa.com | al.es-endes-gov.com |
| Raiffeisen Bank (Switzerland) | Europe | raiffeisen.ch | raiffeisen.625515.com |
| CTT Post (Portugal) | Europe | ctt.pt | cttpostylprts.shop |
| Banca Intesa (Serbia) | Europe | bancaintesabeograd.com | www.bancaintesa.shop |
| Post Express / Posta Srbije (Serbia) | Europe | postexpress.rs | posta.rest |
| UK GOV.UK Parking Fine | Europe | gov.uk | park-pcnqlh.top |
| JCB / MyJCB Credit Card (Japan) | Asia Pacific | jcb.co.jp | electrrock.hfiwrk.cn |
| BCA / Bank Central Asia (Indonesia) | Asia Pacific | bca.co.id | bca-integral-ck.top |
| India eChallan / Ministry of Road Transport | Asia Pacific | echallan.parivahan.gov.in | echallanceseh-in.top |
| METI/ANRE Energy Agency (Japan) | Asia Pacific | enecho.meti.go.jp | caaul.cn |
| Ninja Van Malaysia | Asia Pacific | ninjavan.co | ninjavan.ygpxdy.help |
| India Post | Asia Pacific | indiapost.gov.in | india-post-gov.help |
| Intelcom Parcel (Canada) | Asia Pacific | intelcom.ca | intelcom-ca.icu |
| Rakuten Bank (Japan) | Asia Pacific | rakuten-bank.co.jp | template.lingruisheng.com |
| e-Tax NTA (Japan) | Asia Pacific | e-tax.nta.go.jp | 89.213.174.93 |
| Amazon Japan | Asia Pacific | amazon.co.jp | amazonjp.shop |
| Apple Japan | Asia Pacific | apple.com | bbmcz.com |
| Ninja Xpress (Indonesia) | Asia Pacific | ninjaxpress.co | ninjaxpress.smbrtm.help |
| J&T Express (Indonesia) | Asia Pacific | jet.co.id | jtexpress.plklvj.help |
| Kemnaker – Ministry of Manpower (Indonesia) | Asia Pacific | kemnaker.go.id | kemnaker.npcvog.help |
| Purolator Parcel (Canada) | Asia Pacific | purolator.com | purollator.568128.vip |
| Visa (Panama) | Latin America | visa.com | visa-panama.icu |
| Mastercard Panama (Priceless Specials) | Latin America | mastercard.com | mastercard-cash.com |
| Tigo Telecom (Honduras/Panama) | Latin America | tigo.com.pa | premioshtigo.club |
| Santander Mexico | Latin America | santander.com.mx | santander-mx.club |
| Correo de Mexico (Gob MX) | Latin America | correosdemexico.gob.mx | gobmxcorreodemexico.top |
| ENA Corredores – Toll Road (Panama) | Latin America | ena.com.pa | ena-xpa.com |
| TAG Toll Road (Chile) | Latin America | tagtotal.cl | tag-cl.top |
| Banco Cuscatlan (El Salvador) | Latin America | bancocuscatlan.com | cuscatlan.kndmw.help |
| Correios (Brazil) | Latin America | correios.com.br | mycorreiosbr.icu |
| HSBC Bank | Multi-Country | hsbc.com | 2026hsbc.cc |
Indicators of Compromise (IOCs)
43[.]165[.]133[.]137
43[.]128[.]84[.]136
43[.]160[.]248[.]36
47[.]90[.]164[.]225
47[.]253[.]81[.]117
43[.]162[.]108[.]157
8[.]219[.]239[.]111
43[.]160[.]202[.]101
43[.]160[.]206[.]90
43[.]165[.]198[.]94
43[.]156[.]234[.]103
43[.]162[.]124[.]181
47[.]89[.]252[.]221
43[.]160[.]249[.]131
47[.]252[.]25[.]174
47[.]90[.]164[.]222
43[.]165[.]68[.]78
43[.]159[.]39[.]19
47[.]251[.]1[.]16
43[.]160[.]247[.]80
43[.]164[.]129[.]208
47[.]251[.]0[.]95
47[.]90[.]171[.]135
8[.]217[.]187[.]47
47[.]86[.]80[.]250
43[.]160[.]193[.]44
43[.]160[.]206[.]15
43[.]134[.]76[.]73
43[.]160[.]252[.]12
43[.]160[.]194[.]44
43[.]162[.]102[.]191
47[.]238[.]155[.]15
47[.]82[.]235[.]111
43[.]165[.]197[.]228
43[.]153[.]214[.]244
43[.]165[.]125[.]52
43[.]162[.]127[.]254
43[.]160[.]247[.]29
47[.]253[.]254[.]189
43[.]164[.]3[.]97
43[.]128[.]88[.]156
43[.]165[.]195[.]9
43[.]134[.]90[.]69
150[.]109[.]6[.]13
47[.]253[.]108[.]13
47[.]85[.]56[.]71
43[.]165[.]126[.]186
8[.]222[.]243[.]235
43[.]165[.]63[.]110
43[.]160[.]252[.]215
43[.]160[.]244[.]84
137[.]220[.]221[.]138
47[.]253[.]254[.]114
47[.]253[.]154[.]26
47[.]251[.]27[.]123
47[.]90[.]154[.]132
43[.]162[.]111[.]74
45[.]203[.]220[.]21
43[.]165[.]61[.]250
43[.]160[.]233[.]85
43[.]165[.]62[.]180
47[.]253[.]228[.]218
43[.]165[.]5[.]23
43[.]160[.]246[.]56
43[.]160[.]241[.]151
43[.]160[.]234[.]26
216[.]173[.]64[.]137
196[.]251[.]73[.]238
147[.]189[.]161[.]32
89[.]213[.]174[.]93
47[.]90[.]249[.]139
47[.]88[.]89[.]119
43[.]167[.]236[.]68
43[.]165[.]197[.]71
43[.]162[.]123[.]72
43[.]160[.]238[.]161
43[.]160[.]199[.]147
43[.]156[.]47[.]224
43[.]134[.]179[.]112
38[.]180[.]242[.]70
206[.]238[.]221[.]177
196[.]251[.]72[.]70
185[.]224[.]129[.]181
156[.]235[.]89[.]39
154[.]82[.]110[.]218
129[.]226[.]159[.]121
49[.]51[.]38[.]141
47[.]253[.]213[.]253
47[.]86[.]58[.]26
43[.]166[.]168[.]99
43[.]165[.]4[.]195
43[.]165[.]4[.]179
43[.]164[.]197[.]178
43[.]162[.]108[.]181
43[.]160[.]242[.]47
43[.]160[.]240[.]218
43[.]160[.]208[.]59
43[.]160[.]195[.]64
43[.]159[.]48[.]211
43[.]153[.]1[.]139
43[.]134[.]114[.]194
43[.]134[.]112[.]30
43[.]157[.]83[.]74
MITRE ATT&CK Mapping
| Tactic ID | Tactic Name | Technique |
|---|---|---|
| TA0001 | Initial Access | T1566.003 · Phishing: Spearphishing via Service |
| TA0002 | Execution | T1204.001 · User Execution: Malicious Link |
| TA0002 | Execution | T1059.007 · Command and Scripting Interpreter: JavaScript |
| TA0005 | Defense Evasion | T1027 · Obfuscated Files or Information |
| TA0005 | Defense Evasion | T1140 · Deobfuscate/Decode Files or Information |
| TA0005 | Defense Evasion | T1622 · Debugger Evasion |
| TA0005 | Defense Evasion | T1036.005 · Masquerading: Match Legitimate Name or Location |
| TA0005 | Defense Evasion | T1665 · Hide Infrastructure |
| TA0007 | Discovery | T1082 · System Information Discovery |
| TA0007 | Discovery | T1614 · System Location Discovery |
| TA0006 | Credential Access | T1056.003 · Input Capture: Web Portal Capture |
| TA0006 | Credential Access | T1111 · Multi-Factor Authentication Interception |
| TA0009 | Collection | T1119 · Automated Collection |
| TA0011 | Command and Control | T1071.001 · Application Layer Protocol: Web Protocols |
| TA0011 | Command and Control | T1573.001 · Encrypted Channel: Symmetric Cryptography |
| TA0011 | Command and Control | T1008 · Fallback Channels |
| TA0010 | Exfiltration | T1041 · Exfiltration Over C2 Channel |







